Lines 252-261
CRNLpat = re.compile(r'[^\x21-\x7e]')
|
252 |
def GetPathPieces(envar='PATH_INFO'): |
252 |
def GetPathPieces(envar='PATH_INFO'): |
253 |
path = os.environ.get(envar) |
253 |
path = os.environ.get(envar) |
254 |
if path: |
254 |
if path: |
|
|
255 |
remote = os.environ.get('HTTP_FORWARDED_FOR', |
256 |
os.environ.get('HTTP_X_FORWARDED_FOR', |
257 |
os.environ.get('REMOTE_ADDR', |
258 |
'unidentified origin'))) |
255 |
if CRNLpat.search(path): |
259 |
if CRNLpat.search(path): |
256 |
path = CRNLpat.split(path)[0] |
260 |
path = CRNLpat.split(path)[0] |
257 |
syslog('error', 'Warning: Possible malformed path attack.') |
261 |
syslog('error', |
258 |
return [p for p in path.split('/') if p] |
262 |
'Warning: Possible malformed path attack domain=%s remote=%s', |
|
|
263 |
get_domain(), |
264 |
remote) |
265 |
# Check for listname injections that won't be websafed. |
266 |
pieces = [p for p in path.split('/') if p] |
267 |
# Get the longest listname or 20 if none. |
268 |
if list_names(): |
269 |
longest = max([len(x) for x in list_names()]) |
270 |
else: |
271 |
longest = 20 |
272 |
if pieces and len(pieces[0]) > longest: |
273 |
syslog('mischief', |
274 |
'Hostile listname: listname=%s: remote=%s', pieces[0], remote) |
275 |
pieces[0] = pieces[0][:longest] + '...' |
276 |
return pieces |
259 |
return None |
277 |
return None |
260 |
|
278 |
|
261 |
|
279 |
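Review bot: `remote` prefers `HTTP_FORWARDED_FOR` and `HTTP_X_FORWARDED_FOR` over `REMOTE_ADDR`, and those two values come from request headers the client controls, so the address written by both the 'error' and the 'mischief' syslog calls can be chosen by whoever sends the request. For a log meant to attribute hostile requests, record the socket peer unconditionally and the forwarded value as a separate, clearly untrusted field, e.g. `remote = os.environ.get('REMOTE_ADDR', 'unidentified origin')` plus `forwarded = os.environ.get('HTTP_X_FORWARDED_FOR', '-')`, and rely on the header only where the deployment is known to sit behind a proxy that overwrites it. The forwarded string is also not passed through `CRNLpat`, and `pieces[0]` is logged at full length before it is truncated; logging `pieces[0][:longest]` would keep one oversized request from bloating the log. Separately, `list_names()` is called twice per request; binding it once (`names = list_names()`) avoids the repeated lookup, which matters if it is as costly as a directory scan.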
|